Graduated Physical Actuation Modes
by Nick Clark | Published April 25, 2026
Confidence governance applied to physical actuators produces eleven structurally distinct execution modes, each selected by composite admissibility against governance policy. The modes are not points on a continuous spectrum; they are categorically different operational outcomes that current binary permit-suppress architectures cannot represent.
Eleven Modes, Each Structurally Distinct
The graduated mode set comprises: simulated (the action is computed but not committed even to internal state), advisory (the contemplated action is displayed to a human operator without commanding the actuator), consultative (the action requires explicit human ratification before commit), shadowed (the action is logged and verified in parallel with continued human or fallback control), partial (a fraction of the requested authority is committed), constrained (committed within a reduced operational envelope), stage-gated (committed in successive bounded stages with intermediate evaluation), deferred (held pending additional evidence), full (committed at full requested authority), emergency-accelerated (committed at elevated priority under preemption budget), and emergency-overridden (committed despite ordinary admissibility failure under credentialed override).
Each mode is a categorically distinct operational outcome with audit-grade lineage. The mode is selected by a composite admissibility evaluator that consumes authority, evidential weighting, capability envelope, temporal scope, and disposition into a single deterministic computation against the governance policy in force.
Why Eleven and Not Three or Twenty
The mode set is the result of structural decomposition rather than enumeration. Each mode corresponds to a distinct combination of (commit authority level) × (verification requirement) × (reversibility envelope) × (operator involvement) that real autonomous-physical systems demonstrably need.
Smaller mode sets — full, partial, halt — collapse meaningfully different operational outcomes. Larger sets become operationally indistinguishable. Eleven matches the empirical structure of how regulated autonomous systems actually operate across automotive, medical, industrial, and defense deployments. The mode set is extensible (new modes register through credentialed governance update) but the eleven cover the dominant patterns.
How Mode Selection Composes With Existing Safety
The mode-selection computation runs above existing functional-safety logic (ISO 26262, IEC 61508, IEC 61511, etc.). The functional-safety floor remains the unconditional bound: actions that violate the floor are unconditionally suppressed regardless of admissibility. Above the floor, mode selection consumes the admissibility computation against the governance policy and produces the appropriate mode.
Mode selection is deterministic and lineage-recorded. The same input produces the same mode. Every selection records the supporting computation: which authority's credential was admitted, which evidential factors weighted toward which mode, what the policy specified for the operating context. Audit reconstruction can verify any past mode selection from the recorded lineage alone.
What Eleven Modes Enable Operationally
Graduated modes enable response patterns that binary architectures cannot. Incident response can shift a fleet from full to constrained without service halt. Edge-case handling can defer action pending additional evidence rather than committing under uncertainty. Human-collaborative operation can run shadowed mode during teleoperation with audit-grade lineage of the contemplated commands.
Cross-jurisdictional fleet operation handles transitions through governance-credentialed mode-restriction policy. A fleet entering a new jurisdiction consumes the local authority's policy and adjusts mode set accordingly. The architecture supports configuration-driven multi-jurisdictional deployment where current architectures require per-jurisdiction re-engineering.
